Can I disclose personal information for a business purpose without complying with CCPA in Washington? What are the requirements?

Disclosure of Personal Information for Business Purpose in Washington

Washington has its own data breach notification law, RCW 19.255.010, which requires businesses to disclose any breach of the security of the system to any resident of the state whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person and the personal information was not secured ^[1.1]. Notice is not required if the breach of the security of the system is not reasonably likely to subject consumers to a risk of harm. The breach of secured personal information must be disclosed if the information acquired and accessed is not secured during a security breach or if the confidential process, encryption key, or other means to decipher the secured information was acquired by an unauthorized person ^[1.1].

However, it is important to note that Washington does not have a comprehensive data privacy law like the CCPA ^[2.1]. Therefore, businesses in Washington are not required to comply with CCPA unless they collect personal information of California residents ^[3]. If a business collects personal information of California residents, it must comply with CCPA, regardless of where it is located ^[3].

In summary, businesses in Washington must comply with RCW 19.255.010 when disclosing personal information in the event of a data breach. If a business collects personal information of California residents, it must comply with CCPA, regardless of where it is located.

Source(s):

• [1.1] Personal information—Notice of security breaches.
• [2.1] Personal jurisdiction.
• [3] Personal information

Jurisdiction

Washington

• Privacy